How to Extend CTRT for AES-256 and AES-192

Abstract

AONT (All-or-Nothing Transform) is a kind of (n, n)threshold secret sharing scheme that distributes a message m into a set of n shares such that the message m can be reconstructed if and only if n shares are collected. At CRYPTO 2000, Desai proposed a simple and faster AONT based on the CTR mode of encryption (called CTRT) and proved its security in the ideal cipher model. Though AES-128, whose key length k = 128 and block length l = 128, can be used in CTRT as a block cipher, AES-256 and AES-192 cannot be used due to its intrinsic restriction of k ≤ l. In this paper, we propose an extended CTRT (for short, XCTRT) suitable for AES-256. By thoroughly evaluating all the tricky cases, we prove that XCTRT is secure in the ideal cipher model under the same CTRT security definition. Also, we discuss the security result of XCTRT in concrete parameter settings. For more flexibility of key length, we propose a variant of XCTRT dealing with l < k ≤ 2l by slightly modifying the construction of the last block. After showing implementation details and performance evaluation of CTRT, XCTRT, and the variant, we can say that our XCTRT and its variant have high-speed encoding and decoding performance and are quite practical enough to be deployed in real-world applications.